URL: https://github.com/SSSD/sssd/pull/615
Author: jhrozek
Title: #615: SDAP: Improve a confusing DEBUG message when initgroups search matches multiple entries
Action: opened

PR body:
"""
If SSSD is searching for a user using a name-based filter in an
environment that uses nested OUs or sub domains, it is expected the search
can return two or more entries. The correct entry is then matched using the
domain name.

But the error message was confusing admins, because it simply said
"Expected one entry, found %d". This patch softens this error message and
rewords the message in case the matching fails.
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/615/head:pr615
git checkout pr615
From 194059405bb84bc9913b82b44e30a87acc4d49b1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Wed, 11 Jul 2018 09:16:52 +0200
Subject: [PATCH] SDAP: Improve a confusing DEBUG message when initgroups
 search matches multiple entries

If SSSD is searching for a user using a name-based filter in an
environment that uses nested OUs or sub domains, it is expected the
search can return two or more entries. The correct entry is then matched
using the domain name.

But the error message was confusing admins, because it simply said
"Expected one entry, found %d". This patch softens this error message
and rewords the message in case the matching fails.
---
 src/providers/ldap/sdap_async_initgroups.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/providers/ldap/sdap_async_initgroups.c b/src/providers/ldap/sdap_async_initgroups.c
index 03f6de01a..cbe8a4cfe 100644
--- a/src/providers/ldap/sdap_async_initgroups.c
+++ b/src/providers/ldap/sdap_async_initgroups.c
@@ -3000,8 +3000,9 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
     } else if (count == 1) {
         state->orig_user = usr_attrs[0];
     } else if (count != 1) {
-        DEBUG(SSSDBG_OP_FAILURE,
-              "Expected one user entry and got %zu\n", count);
+        DEBUG(SSSDBG_FUNC_DATA,
+              "The search returned %zu entries, need to match the correct one\n",
+              count);
 
         /* When matching against a search base, it's sufficient to pick only
          * the first search base because all bases in a single domain would
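Review bot: The condition on the branch that carries the new message, `} else if (count != 1) {`, is always true when reached because it follows `else if (count == 1)`; a plain `else` would say the same thing, and it is worth confirming that the preceding branch excludes a count of zero, since the new wording assumes several entries. The message also says an entry must be matched without saying against what. The later hunk prints state->dom->name, so including the domain name here as well would show an admin the selection criterion at SSSDBG_FUNC_DATA level.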
@@ -3010,9 +3011,10 @@ static void sdap_get_initgr_user(struct tevent_req *subreq)
         ret = sdap_search_initgr_user_in_batch(state, usr_attrs, count);
         if (ret != EOK) {
             DEBUG(SSSDBG_OP_FAILURE,
-                  "sdap_search_initgr_user_in_batch failed. "
-                  "No matching DN found.\n");
-            tevent_req_error(req, EINVAL);
+                  "sdap_search_initgr_user_in_batch failed [%d]: %s :"
+                  "SSSD can't select a user that matches domain %s\n",
+                  ret, sss_strerror(ret), state->dom->name);
+            tevent_req_error(req, ret);
             return;
         }
     }
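Review bot: The two adjacent string literals in the new DEBUG call concatenate to "... [%d]: %s :SSSD can't select ...", with a space before the colon and none after it; ending the first literal with "%s: " gives a cleanly rendered message. Separately, tevent_req_error(req, ret) now propagates the return code of sdap_search_initgr_user_in_batch where EINVAL was reported before. That changes what the request's callers see, while the commit message describes only rewording of messages, so it deserves a sentence there.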